Yahoo Announces Second Data Breach Affecting 1 Billion User Accounts
Yahoo has announced a second, larger security breach that affected 1 billion user accounts – the biggest known data breach to date at any company.
Yahoo said the breach occurred in August 2013, with an unauthorized third party stealing data from 1 billion users, including names, email addresses, telephone numbers, dates of birth and hashed passwords. The company said the stolen data also, in some cases, included encrypted or unencrypted security questions and answers.
Yahoo said it did not appear that hackers gained access to passwords in clear text, payment card data or bank account information.
Yahoo said it has not yet identified how the attackers penetrated its systems, though it said it is now working with law enforcement.
Yahoo said it discovered this second breach after further forensic expert analysis into the earlier breach it announced in September, which affected 500 million user accounts. It said this second and larger breach is likely distinct from the one announced earlier this year, which it attributed to nation-state attackers. That breach also affected names, email addresses, telephone numbers, birthdays, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.
Sam Heard, president of Lakeland, Fla.-based Data Integrity Services, said the scale of the breach demonstrates that data needs to be protected no matter where it sits, even with a brand as large as Yahoo or any other email provider.
"Everyone has been hacked. After a while, people just have to realize you have to keep your data encrypted or else," Heard said. "It's big," he said.
Heard said he thinks the Yahoo breach will raise awareness of the need for a layered security approach, which incorporates network, firewall, email and endpoint security, similar to how you might protect your home with a lock, deadbolt and alarm system.
"This is going to help people understand that you just can't get away with only one single solution. You have to have layered security, with multiple layers in hopes of stopping attacks," Heard said.
As a solution provider, Heard said events like this would likely continue to drive up security business as awareness increases. He said Data Integrity Services has already seen its security business grow more than 20 to 30 percent so far this year, especially around more advanced next-generation technologies. He said he is trying to hire an additional sales representative to keep up with client demand.
"We're really busy … It’s a good position to be in, unfortunately, I guess you could say," Heard said.
Yahoo said it is in the process of notifying users affected by the breach and will prompt them to change their passwords and security questions. It urged all users to check their accounts for suspicious activity, change their passwords and adopt the company's authentication tool.